Skip to content

manifest: Add mcuboot #120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Nov 10, 2025
Merged

manifest: Add mcuboot #120

merged 6 commits into from
Nov 10, 2025

Conversation

@asmellby
Copy link
Contributor

@asmellby asmellby commented Nov 7, 2025

Add mcuboot fork to manifest.

Sysbuild defaults to RSA signing. Use ECDSA on Series 2 to be compatible with root of trust.

While MCUboot uses imgtool for signing applications, the bootloader binary itself must be signed by Simplicity Commander to be securely booted by the SE on Series 2 devices. Integrate a custom signing script to sign the bootloader image.

This ensures that west build/west flash work out of the box on devices that enforce secure boot.

@asmellby
manifest: Add mcuboot
28828b4 
Add mcuboot fork to manifest.

Signed-off-by: Aksel Skauge Mellbye <[email protected]>
@asmellby
soc: silabs: Default to ECDSA-P256 signing with sysbuild
aea4b3f 
Sysbuild defaults to RSA signing. Use ECDSA on Series 2 to be
compatible with root of trust.

Signed-off-by: Aksel Skauge Mellbye <[email protected]>
@asmellby
zephyr: Automatically sign MCUboot bootloader images
d41bb74 
While MCUboot uses imgtool for signing applications, the bootloader
binary itself must be signed by Simplicity Commander to be securely
booted by the SE on Series 2 devices. Integrate a custom signing
script to sign the bootloader image.

This ensures that `west build`/`west flash` work out of the box on
devices that enforce secure boot.

The script assumes that `commander` is available on the path.

Signed-off-by: Aksel Skauge Mellbye <[email protected]>
@asmellby
ci: Build with_mcuboot sysbuild sample
241da92 
Build `with_mcuboot` sample app for representative devices.

Signed-off-by: Aksel Skauge Mellbye <[email protected]>
@asmellby asmellby requested a review from a team as a code owner November 7, 2025 10:20
jhedberg
jhedberg previously approved these changes Nov 7, 2025
View reviewed changes
@asmellby
zephyr: Locate Simplicity Commander using find_program
e5d49af 
Use find_program() to locate Simplicity Commander, either from
SLT or a system install location.

Signed-off-by: Aksel Skauge Mellbye <[email protected]>
@asmellby
ci: Add action to install dependencies with SLT
01d5950 
Add Simplicity Commander to SLT package file.

Signed-off-by: Aksel Skauge Mellbye <[email protected]>
jerome-pouiller
jerome-pouiller reviewed Nov 7, 2025
View reviewed changes
.github/actions/action-slt-setup/action.yml
- name: Install packages
shell: bash
run: |
slt install -f ${{ inputs.package-file }} --no-lock
Copy link
Contributor

@jerome-pouiller jerome-pouiller Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the benefit of downloading slt rather than directly downloading commander?

Copy link
Contributor Author

@asmellby asmellby Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

slt enables version management of the installed tools, and has other tools available. If the user uses the Network Analyzer or Energy Profiler tools installed via slt, it would be inconvenient if the SDK uses a different way of getting Commander.

@jerome-pouiller
Copy link
Contributor

jerome-pouiller commented Nov 7, 2025

scripts/west_commands/sign.py already uses commander. It does not relies on slt to find the commander binary:

  • Do we plan to also support west sign for series-2?
  • Should we update west sign?
  • Should we support slt and direct commander run (two ways for doing the same thing)?

@asmellby
Copy link
Contributor Author

asmellby commented Nov 7, 2025

I'm not sure if west sign makes sense. The CMake build system was changed from calling west sign for imgtool to directly calling imgtool from CMake. The philosophical argument was that west is not a mandatory tool for Zephyr, so CMake shouldn't call it. So we're left with the standalone CLI command only, and it's questionable whether there is any value in simply wrapping commander convert --secureboot.

west flash on the other hand can certainly be updated to be able to discover Commander through SLT. But that's something that needs to happen in the main tree, not here.

When it comes to supporting Commander both standalone and discovered through SLT, IMO the answer is "yes". The SLT variant is the most integrated, but being able to directly point at a specific binary to use makes sense to me as an option for situations where SLT isn't available or there is a strong desire to not use it.

@asmellby asmellby merged commit 10f618d into SiliconLabsSoftware:main Nov 10, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhedberg jhedberg jhedberg approved these changes

@jerome-pouiller jerome-pouiller jerome-pouiller approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@asmellby @jerome-pouiller @jhedberg